Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others. (Source: Tech Freep)

Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way
to lucrative advertising revenue contracts, it can also be a headache
in terms of providing the user with security, as users will typically
interact with a broad variety of websites, some of which may be
compromised or insecure. When you're the top player in the
browser market, like Microsoft, this problem becomes especially
serious.

Microsoft typically has a pretty
good security track record, but under the enormous pressure of
safeguarding millions of business users, cracks in its armor can
appear. Such was the case with a new flaw in Microsoft Internet
Explorer, about which the company posted an advisory
(97352) yesterday.

The advisory states, "The
vulnerability exists as an invalid pointer reference within Internet
Explorer. It is possible under certain conditions for the invalid
pointer to be accessed after an object is deleted. In a
specially-crafted attack, in attempting to access a freed object,
Internet Explorer can be caused to allow remote code
execution."
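
The bug class the advisory describes, a pointer that is still used after its object has been deleted, shown with a constructed toy object pool; this is an added example, not code from Microsoft, McAfee or the article. The pool, the `Handle` type and all function names are assumptions for illustration, and slot reuse in a static array stands in for heap reuse so the stale access stays well-defined C. The generation-checked handle is one common mitigation for this class, not the fix Microsoft shipped.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy object pool standing in for a browser's DOM heap. */
#define POOL 4
typedef struct { unsigned gen; int live; char tag[16]; } Elem;
typedef struct { unsigned idx, gen; } Handle;   /* checked reference */
static Elem pool[POOL];

/* Take the first free slot; bumping gen invalidates older handles. */
static Handle elem_new(const char *tag) {
    for (unsigned i = 0; i < POOL; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].gen++;
            snprintf(pool[i].tag, sizeof pool[i].tag, "%s", tag);
            return (Handle){ i, pool[i].gen };
        }
    }
    return (Handle){ POOL, 0 };                  /* pool exhausted */
}

/* Only a handle that still matches the slot's generation may delete it. */
static void elem_delete(Handle h) {
    if (h.idx < POOL && pool[h.idx].gen == h.gen) pool[h.idx].live = 0;
}

/* Hardened lookup: NULL if the object was deleted or the slot reused. */
static Elem *elem_get(Handle h) {
    if (h.idx >= POOL) return NULL;
    Elem *e = &pool[h.idx];
    return (e->live && e->gen == h.gen) ? e : NULL;
}

/* Returns 1 if the stale raw pointer sees another object's data while the handle is refused. */
int stale_reference_demo(void) {
    memset(pool, 0, sizeof pool);
    Handle img = elem_new("img");
    Elem *raw = elem_get(img);          /* unchecked pointer kept by a caller */
    elem_delete(img);                   /* object deleted, pointer left behind */
    Handle other = elem_new("script");  /* the freed slot is reused */
    int raw_confused = strcmp(raw->tag, "script") == 0;
    int handle_safe = elem_get(img) == NULL && elem_get(other) != NULL;
    return raw_confused && handle_safe;
}

int main(void) {
    printf("stale pointer confused, stale handle rejected: %d\n", stale_reference_demo());
    return 0;
}
```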

McAfee's George Kurtz was the first to post
on the flaw, with a security
blog yesterday afternoon. He offered more details about the
DOM memory corruption vulnerability and revealed that it had been
used by attackers in China to steal info from Google. This was
somewhat unusual, as flaws often get published with nary an "in
the wild" attack, or at worst mild attacks on individual
users.

In this case the flaw wasn't overly severe, but the
attackers were unusually sophisticated and struck out at businesses,
looking to steal their data. Writes
Dmitri Alperovitch, a vice president of research with McAfee, "We
have never seen attacks of this sophistication in the commercial
space. We have previously only seen them in the government
space."

Despite the fact that Google makes its own
browser (Chrome), apparently many of Google's corporate computers
instead use rival Microsoft's Internet Explorer, the standard in the
business world. As Internet Explorer 8's Data Execution
Prevention (DEP) is enabled by default, and would have to be turned
off for the flaw to work, it seems likely that Google uses IE 6 or IE
7. This is actually quite typical -- IE 8 adoption in the
business world has been a slow process -- many businesses still use
IE 6, even. The DEP protections are optional in IE 7.

Once the attackers
execute the memory attack, they use it to download and run an
executable -- a malicious trojan that allows remote access to
corporate machines. The entire set of attacks has become known
as "Operation Aurora". Aside from Google, other high
profile targets lost potentially sensitive information, including
design software maker Adobe Systems Inc. (though Adobe insists that
it lost no IP). Google and Adobe are both reportedly trying to
help Microsoft investigate the attacks.

Microsoft CEO Steve
Ballmer apologized for the security mishap, stating, "We need to
take all cyber attacks, not just this one, seriously. We have a whole
team of people that responds in very real time to any report that it
may have something to do with our software, which we don't know
yet."

One bothersome detail, though, is that Microsoft
apparently has known about the flaw and existence of attacks in the
wild for some time, but did not publish a security advisory until
after McAfee aired the flaw. This meant that while high profile
business users likely knew about the flaw, most private users were
left unaware of the danger (albeit, fewer private users run IE 6 or
IE 7 than business users).

The attack on Google occurred in
mid-December, so the attacks have been live for almost a month now,
at least. Reportedly 20 other major companies have since been
compromised. Currently, the only solution that offers
complete protection against the attack is to adopt IE 8 or turn on
DEP in IE 7. McAfee has aired security software updates that
provide partial protection against the malware associated with the
attack, but it warns that current coverage is incomplete.

If
there's one moral of this story, it's not so much anything to do with
Microsoft or Google, but more an observation of the state of internet
security in general. As many observers have noted, attackers in
recent years are becoming bolder, more organized, and in it for the
money.

Unlike hackers of yore that largely hacked for
respect or fame, this new breed of attacker, largely based out of
Eastern Europe, Russia, Africa, and China, hacks
for profit. That presents a unique challenge to firms like
Microsoft. A kid hacking into Google would be bad enough, but
a savvy professional who knows how to leverage the stolen information
-- that's a security nightmare. And it's one that's quickly
becoming reality, as evidenced by this most recent round of attacks.

Comments


What a lot of people do not understand is that businesses, for this reason, do not adopt newer software, as there is always something someone forgot and needs to be fixed. So they usually use a software until it is no longer supported for two reasons.

1. It is safe for their network in the fact it is not going to crash something else as it has not done so as of yet.
2. It is cheaper as they don't lose productivity in employees having to be trained as often.

When a large company makes a change in their software as major as Internet Explorer it has to be extensively tested in as many scenarios as possible before they will roll it out to an entire company. I personally rolled my IE back from 8 to 7 30 minutes after I installed it. There was a problem with the way it displayed a favorite page of mine. I would put my mouse on a link and that link would drop 4 inches. Move the mouse down and it would jump back up. It is the same for companies. Imagine they rolled out IE8 to 500,000 employees and this is a small number. The next day they have 500,000 tech support calls due to an issue with the new software. I would hate to be the person who gave the go ahead to roll it out. That is the reason companies are still using older versions. After this most may upgrade to 7 so they can use the DEP but then again who knows. :) Hopefully this gets read and understood by those who do not.
